Re: [Xen-devel] [PATCH 10/16] libelf: check all pointer accesses

[Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>]

Matthew Daley writes ("Re: [PATCH 10/16] libelf: check all pointer accesses"):
> On Tue, Jun 4, 2013 at 3:41 AM, Ian Jackson <ian.jackson@xxxxxxxxxxxxx> wrote:
> > +static int elf_ptrval_in_range(elf_ptrval ptrval, uint64_t size,
> > +                               const void *region, uint64_t regionsize)
> > +    /*
> > +     * Returns true if the putative memory area [ptrval,ptrval+size>
> > +     * is completely inside the region [region,region+regionsize>.
> > +     *
> > +     * ptrval and size are the untrusted inputs to be checked.
> > +     * region and regionsize are trusted and must be correct and valid.
> > +     */
> > +{
> > +    elf_ptrval regionp = (elf_ptrval)region;
> > +
> > +    if ( (ptrval < regionp) ||              /* start is before region */
> > +         (ptrval > regionp + regionsize) || /* start is after region */
> 
> Should be >=, not >, FWIW.

I think this is correct.

If size==0, ptrval == regionp+regionsize is OK.

If size>0 and ptrval==regionp+regionsize then
`regionsize - (ptrval - regionp)' is 0 and we fail.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel